It seems like an ordinary story: a classmate forgot a netbook at the university. But a coincidence suggested the idea of using a standard Windows function to determine the last places where the device connected to a network.
What is Microsoft NCSI?
Microsoft NCSI, or Network Connectivity Status Indicator, is a function that tests the Internet connection in Windows Vista/7/8. It shows a yellow exclamation mark on the network connection icon when there is no Internet connection, or warns that network authentication via a browser may be required.
You can read more on Technet, but I will briefly describe how it works:
When connecting to a network, Windows does the following (for IPv4):
1) Requests www.msftncsi.com/ncsi.txt and expects a 200 OK response with the body Microsoft NCSI
2) Resolves dns.msftncsi.com and expects the answer 131.107.255.255
If both checks give the expected result, the network is considered to have Internet access.
If the file is unavailable but the IP resolves correctly, a notification is shown that network authentication through the browser may be required.
If neither check gives the expected result, the network is considered to have no Internet access.
The addresses, the expected responses and the operation of the function itself are configured in the registry at
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NlaSvc\Parameters\Internet
Backstory
When I learned how NCSI works, I had the idea of changing the parameters to my own server (both out of paranoia and out of interest).
After some thought, I decided to use the existing logic as a convenient way to check for Internet problems at home. The usual states were “everything works fine”, “there is no connection at all (even to the provider's servers)” and “access only to the provider's local network”. So I set up the DNS check against one of the provider's resources (which is also reachable from the outside) and the file check against my VPS. Thus, if during Internet problems I am shown the message that I need to log in, the problem is most likely at the provider's uplink and there is no point in calling to find out more: the Internet is down at least in the neighborhood.
Such a system, of course, occasionally failed: when I was tinkering with the VPS, or when the home provider had problems with connections from the outside, a false status was shown, but such problems were rare.
Having learned about my idea, a friend who uses the same provider made similar settings on his home devices, pointing the file availability check at my VPS.
I think many have already guessed how the search worked...
Day X
On the evening of day X, while we were chatting, my friend writes that he has apparently forgotten the netbook at the university. Going back would most likely mean traveling across almost the whole city, and as far as he remembers he left it in a classroom, i.e. it is not critical. He just does not remember in which of the rooms where he had classes: whether he took it out after the first class or not.
There would be no article if, after that conversation, I hadn’t been experimenting that day with the web server on that same VPS. While looking for the log file I needed in the list of per-domain logs, my eye caught the log of the NCSI subdomain, and I remembered that my friend had NCSI configured to use my server! So one could guess the last place the netbook had been switched on from the latest IP and time, since the university has several WiFi access points with different external IPs and all of them had been saved for automatic connection. After looking at the log and asking my friend a couple of questions, I told him where he had most likely left the netbook. The next day he found the netbook right away in the expected lecture room.
Conclusion
The result was an interesting idea: configure each device to request a file from your own server, giving each device a different file name and keeping a separate log on the server. When a device connects to a network, its IP appears in the logs, which can help in the search if something like this happens. Of course, an IP will not tell you something in every situation, but in some cases you can be sure that you left the device, say, at work or at the university, and not somewhere else. True, one question remains: if someone turns on the laptop but the user account has a password, will the laptop connect to a saved network without a login or not?
The idea also has negative uses: the same mechanism can be used to follow a computer's connections for other purposes, but I think they should not be discussed here.
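The per-device log lookup described above, as an added example that is not part of the original post: it reads a web server access log and reports, for each device, which external IPs it probed from and when. The /ncsi-<device>.txt naming scheme, the combined log format and the sample lines are assumptions constructed for illustration.

```python
import re
from datetime import datetime

# Constructed sample lines in the "combined" access-log format.
# Assumption: every device probes its own file, /ncsi-<device>.txt.
SAMPLE_LOG = """\
198.51.100.7 - - [12/Mar/2013:08:31:02 +0400] "GET /ncsi-netbook.txt HTTP/1.1" 200 14 "-" "Microsoft NCSI"
203.0.113.20 - - [12/Mar/2013:09:02:44 +0400] "GET /ncsi-desktop.txt HTTP/1.1" 200 14 "-" "Microsoft NCSI"
198.51.100.9 - - [12/Mar/2013:10:15:37 +0400] "GET /ncsi-netbook.txt HTTP/1.1" 200 14 "-" "Microsoft NCSI"
192.0.2.55 - - [12/Mar/2013:10:20:00 +0400] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.9 - - [12/Mar/2013:10:16:10 +0400] "GET /ncsi-netbook.txt HTTP/1.1" 200 14 "-" "Microsoft NCSI"
this line is damaged and must be skipped
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"GET /ncsi-(?P<device>[\w-]+)\.txt HTTP/[\d.]+"')

def probe_history(log_text):
    """Return {device: [(time, ip), ...]} sorted by time, probe requests only."""
    history = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a probe request, or a damaged line
        when = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        history.setdefault(m["device"], []).append((when, m["ip"]))
    for events in history.values():
        events.sort()  # log lines may arrive out of order
    return history

def network_visits(events):
    """Collapse consecutive probes from one IP into (ip, first_seen, last_seen)."""
    visits = []
    for when, ip in events:
        if visits and visits[-1][0] == ip:
            visits[-1] = (ip, visits[-1][1], when)
        else:
            visits.append((ip, when, when))
    return visits

def last_seen(log_text, device):
    """Most recent (ip, first_seen, last_seen) for a device, or None if unseen."""
    events = probe_history(log_text).get(device)
    return network_visits(events)[-1] if events else None

if __name__ == "__main__":
    for ip, first, last in network_visits(probe_history(SAMPLE_LOG)["netbook"]):
        print(f"{ip}  {first:%H:%M:%S} .. {last:%H:%M:%S}")
```

The last entry returned for a device is the network it most recently probed from; matching that IP to a known location (home, work, a particular access point) is still a manual step.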
Do not lose your gadgets!